SELinux is an operating system security initiative by the US National Security Agency which attempts to improve security and, for example, prevent malicious software from obtaining control of important system resources. SELinux typically provides for an object (e.g., a file system object such as a directory or a file) to be assigned a security context, or label, which encapsulates the security attributes associated with the object.
SELinux uses security control mechanisms that can grant a program the accesses it needs to perform its task. To implement such security controls, SELinux typically provides a security label by associating access control attributes of the form user:role:type with objects.
Security labels may be assigned to the objects in several ways. For example, a primary method for assigning a security label to an object is for the object to adopt the label of the parent directory. A second method for assigning a label to an object can be through the use of a transition rule or policy. In this case, an example of a transition rule or policy may be: if a process which creates an object is called “A”, and if the directory in which the object is created is called “B”, then the object that is created is labeled “C”. A third method for assigning a label to an object can be through the use of a rule assignment within a process, such that, for example, if a certain process creates an object, then the object is labeled “D”.
In SELinux, a newly created object may need to have a label that is different from the label of the parent directory or the label that is applied by the transition rule. For example, an administrator may go into the /root directory and create the .ssh directory. The directory may be created with the label admin_home_t; however, a policy may require the directory to be labeled ssh_home_t. If the label is not corrected, then when the user tries to use the content of the .ssh directory, a process may fail to read it because the content of the .ssh directory is mislabeled (e.g., the process “sshd” is not permitted to read files labeled admin_home_t).
In another example, a user may create a public_html directory in his or her home directory. The default label for content in the home directory may be user_home_t; however, the public_html directory may be required to be labeled http_user_content_t, otherwise an apache process (e.g., httpd_t) will not be permitted to read the content. A system administrator usually must correct such mislabeling manually, which is inconvenient and time consuming and creates the possibility of human error.
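The two labeling methods and the mislabeling problem above, as an added example that is not part of the original text: a toy model in which a new object takes a transition rule's label if one matches and otherwise inherits the parent directory's label, plus a policy-driven check (in the spirit of restorecon -n) that flags objects whose on-disk label differs from what the policy expects. The file-context patterns, the ssh_keygen_t transition rule and the filesystem snapshot are all constructed for the illustration and are not a real SELinux policy.

```python
import re

# Constructed toy policy, not a real SELinux file_contexts file. Patterns are
# checked in order, most specific first, so narrow rules sit above the broad
# home-directory rules they override.
FILE_CONTEXTS = [
    (r"/root/\.ssh(/.*)?", "ssh_home_t"),
    (r"/root(/.*)?", "admin_home_t"),
    (r"/home/[^/]+/\.ssh(/.*)?", "ssh_home_t"),
    (r"/home/[^/]+/public_html(/.*)?", "http_user_content_t"),
    (r"/home/[^/]+(/.*)?", "user_home_t"),
]

# Constructed transition rules: (creating process type, parent dir type) -> new type.
TYPE_TRANSITIONS = {
    ("ssh_keygen_t", "user_home_t"): "ssh_home_t",
}


def label_for_new_object(creator_type, parent_label, transitions=TYPE_TRANSITIONS):
    """Method 2 wins when a transition rule matches the creating process and
    the parent directory; otherwise method 1 applies and the parent's label is inherited."""
    return transitions.get((creator_type, parent_label), parent_label)


def expected_label(path, file_contexts=FILE_CONTEXTS):
    """The label the policy says `path` should carry; None if no rule covers it."""
    for pattern, label in file_contexts:
        if re.fullmatch(pattern, path):
            return label
    return None


def find_mislabeled(fs, file_contexts=FILE_CONTEXTS):
    """Return (path, current, expected) for each object whose label differs from policy."""
    return [(p, cur, exp) for p, cur in fs.items()
            if (exp := expected_label(p, file_contexts)) is not None and exp != cur]


# Constructed filesystem snapshot: path -> current type. The .ssh directory under
# /root and public_html were created by hand by an unconfined user, so they simply
# inherited the parent label; alice's .ssh was created by ssh-keygen, so the
# transition rule gave it the right label from the start.
SAMPLE_FS = {
    "/root": "admin_home_t",
    "/root/.ssh": label_for_new_object("unconfined_t", "admin_home_t"),
    "/home/alice": "user_home_t",
    "/home/alice/public_html": label_for_new_object("unconfined_t", "user_home_t"),
    "/home/alice/.ssh": label_for_new_object("ssh_keygen_t", "user_home_t"),
}

if __name__ == "__main__":
    for path, cur, exp in find_mislabeled(SAMPLE_FS):
        print(f"{path}: {cur} -> should be {exp}")
```

Running the block reports /root/.ssh (admin_home_t, expected ssh_home_t) and /home/alice/public_html (user_home_t, expected http_user_content_t), the two cases from the text, while the ssh-keygen-created directory passes.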
In addition, a process can typically create a new file or directory in a parent directory whenever no file or directory of that name already exists there. For example, a malicious process could create an arbitrary new file or directory in a home directory, mislabel it as an authorized object, and then prevent the home directory from working or cause other problems in the file system.